The FBI has been tipped off about a novel cybercriminal operation in which a hacker managed not only to breach as many as 130,000 Asus routers, but is also scoring them as to how useful they might be for fraudsters.
This hacker’s selling access to those individual Asus devices—most of them based in the U.S.—for as little as a few dollars, so fraudsters can run their traffic through them, according to security researchers who told Forbes about their tip-off to the feds.
And the researchers tell Forbes he’s possibly “enriching” his offerings with separate databases, one containing personal information on 500,000 Americans, others full of stolen credit card details.
It’s all part of a novel scheme to give fraudsters a much better chance of pulling off identity thefts and using stolen credit cards without getting caught. If your router, personal data or credit card details are in the hacker’s growing piles of stolen data, it could mean you’re soon to become a victim.
Where’s the data being sold?
The data is being flogged over the website avatools[.]ru, which started operating in earnest in August last year and currently has around 100 active users, say Dina Haines and Cory Kujawski, who uncovered the illicit operation. Anyone visiting the site today will be greeted with a login page and a warning in Russian (translated by Google): “If you accidentally come in—run fools! You will be hacked.” Others who are interested in what’s inside are still welcome, though, the site reads.
On avatools[.]ru, access to tens or possibly hundreds of thousands of routers is on offer, according to Haines and Kujawski, intelligence analysts at cybersecurity company White Ops. They think the avatools[.]ru controller is selling the packages to fraudsters who want to use hacked routers to carry out fraudulent transactions via stolen credit card details.
Fraudsters use hacked routers for two reasons. First, routing traffic through a victim's router masks the fraudster's own IP address. Second, fraud detection systems commonly flag or block a transaction if it originates far from the location where the card is normally used. So if a fraudster can route through a router near the victim's usual transactions, or through the victim's own router, the illicit purchase is much less likely to be blocked.
Haines and Kujawski think the AvaTools[.]org owner is acting as a middleman assisting credit card fraudsters because he went a step further than most stolen data traders: He ran the IP addresses through a handful of publicly available fraud detection tools that can tell whether or not they’ve been abused before. Then each IP was given a score between zero and 100. The higher the number, the more likely they’ve been abused before, so fraudsters would want to avoid them. “This is quite the service,” says Kujawski. “I haven’t come across a server or service that offers this level of granularity within residential IP space.”
“It just gives you a better chance for a return on investment,” adds Haines.
The White Ops researchers believe that customers will select low-scoring fraud risk routers in a victim’s location and either get direct access to the devices, or route their traffic through them via a VPN before they buy items on stolen credit cards. Alternatively, the fraudsters could register entirely new credit cards with stolen identities, again in the right region and on a clean-looking IP address.
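To make the geolocation point concrete, here is a constructed illustration added for this page; it is not code from the researchers, from White Ops or from the avatools[.]ru operator, and every IP block, coordinate, ASN label and compromised-router entry in it is made up. It shows why a geolocation-only check is weak against this scheme: a purchase from a distant hosting address is blocked, but the same purchase routed through a hypothetical compromised residential router near the cardholder passes, and only a check that also consults a list of known-compromised router addresses and the connection type of the source block catches it.

```python
import ipaddress
import math
from dataclasses import dataclass

# Constructed stand-in for a geo-IP database: prefix -> (country, lat, lon, connection type).
# All prefixes are documentation ranges; the labels are hypothetical.
GEOIP = {
    "198.51.100.0/24": ("US", 40.71, -74.01, "residential"),   # pretend east-coast US ISP block
    "192.0.2.0/24":    ("US", 34.05, -118.24, "residential"),  # pretend west-coast US ISP block
    "203.0.113.0/24":  ("MD", 47.01, 28.86, "datacenter"),     # pretend hosting block abroad
}

# Constructed stand-in for a feed of router IPs known to be compromised
# (e.g. a list a researcher might share); the real list is not on the page.
COMPROMISED_ROUTERS = {"198.51.100.77"}

# How far from the card's usual location a transaction may originate before it is blocked.
MAX_DISTANCE_KM = 500.0


@dataclass
class Txn:
    card_id: str
    client_ip: str
    billing_country: str
    billing_lat: float
    billing_lon: float


def lookup_ip(ip: str):
    """Return (country, lat, lon, conn_type) for the prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, info in GEOIP.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def geo_only_verdict(txn: Txn, max_km: float = MAX_DISTANCE_KM) -> str:
    """The naive rule the article describes: block if the source is far from where the card is used."""
    info = lookup_ip(txn.client_ip)
    if info is None:
        return "review"
    country, lat, lon, _ = info
    if country != txn.billing_country:
        return "block"
    if haversine_km(lat, lon, txn.billing_lat, txn.billing_lon) > max_km:
        return "block"
    return "allow"


def layered_verdict(txn: Txn, max_km: float = MAX_DISTANCE_KM) -> str:
    """Geolocation plus two signals a proxied residential IP cannot fake away:
    membership in a compromised-device list and the connection type of the source block."""
    if txn.client_ip in COMPROMISED_ROUTERS:
        return "block"
    info = lookup_ip(txn.client_ip)
    if info is None:
        return "review"
    _, _, _, conn_type = info
    if conn_type == "datacenter":
        # Card-not-present purchases from hosting ranges are far more often fraud than not.
        return "block"
    return geo_only_verdict(txn, max_km)


def demo():
    """Constructed transactions for one cardholder in New York (hypothetical coordinates)."""
    ny = ("US", 40.71, -74.01)
    cases = {
        "direct_from_hosting": Txn("card-1", "203.0.113.5", *ny),
        "via_compromised_router": Txn("card-1", "198.51.100.77", *ny),
        "same_country_far_away": Txn("card-1", "192.0.2.9", *ny),
        "legitimate_local": Txn("card-1", "198.51.100.20", *ny),
    }
    return {name: (geo_only_verdict(t), layered_verdict(t)) for name, t in cases.items()}


if __name__ == "__main__":
    for name, (geo, layered) in demo().items():
        print(f"{name:24s} geo-only={geo:6s} layered={layered}")
```

The `via_compromised_router` case is the one the article is about: the geo-only rule allows it because the compromised router sits in the cardholder's region, and only the extra signals stop it. In practice a defender would replace the constructed `COMPROMISED_ROUTERS` set and `GEOIP` table with a real device-reputation feed and a commercial geo-IP database, and add device fingerprinting and velocity checks, since an attacker with a clean residential IP defeats geolocation alone.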
The hacker is selling this combination of hacked routers and fraud scores in packages via Qiwi, a Russian alternative to PayPal. They range in price, from around $3 to $15. For instance, access to a router with a zero risk score costs around $15.
To top it off, the hacker is also selling stolen credit card data and access to a database containing all kinds of information on 500,000 American citizens, including their name, address, social security number and date of birth. It’s unclear where all that data came from, though the researchers say it’s possible they were purchased via another illicit source.
Though the researchers haven’t found evidence of fraudsters combining all the data together to have a much better chance of stealing someone’s identity, they believe it’s possible, given the way in which Avatools[.]org has collected the information in one place. “The possibilities are endless when you have this level of detail on a person’s life,” they wrote in a report shown to Forbes ahead of publication.
How did the hacker find the routers?
The Asus routers were harvested when the Ava-Tools mastermind carried out mass scanning of the Web for those that contained a known vulnerability dating back to at least 2018, according to the researchers. Though patches are available for that vulnerability, the hacker relied on people not patching their systems and was then able to grab the IP addresses of at least 50,000 and up to 130,000 Asus devices. (Asus hadn’t responded to a request for comment at the time of publication.) From there, he exploited the routers to allow others to route their traffic through them, the White Ops analysts said.
The initial tip that the mass scanning was taking place came from a tweet via the @Bad_Packets account. The White Ops researchers then found a backup of the data retrieved from those scans and some of the hacker’s code, which also showed which routers had been successfully compromised.
Kujawski warns that the hacker has likely broken into routers other than those Asus models: the same backup contained code indicating he was attacking devices from as many as 30 other vendors.
Who’s behind the hacks?
Haines and Kujawski also believe they know who is behind the crime, because he leaked some personal information in that backup: a man based in Moldova who may well be working with a security professional. They aren’t revealing his name or age to Forbes, for fear of ruining any investigation, though they did tip off the FBI.
The FBI hadn’t responded to a request for comment. It’s unclear if any investigation is under way. The site remains operational, and Haines thinks more is to come.
“We believe that he’s setting up shop, like this is the start of everything,” Haines adds. “Every time we take a look, he’s got more and more [data]. The website is being updated; the databases are updated.
“These kind of operations are kind of going on unabated. And I think that’s because we are becoming very desensitized to the fact that our private data is just being thrown around out there.”